Overcoming IPv6 Security Threat

Thanks to everyone who helped out.

cheers
joe baptista

http://www.circleid.com/articles/2533.asp

Overcoming IPv6 Security Threat

September 12, 2002 | By Joe Baptista

Technology rags and industry pundits see IPv6 (Internet Protocol version
6) as the future of networking, but Daniel Golding, a participant of the
North American Network Operators' Group (NANOG), thinks it's a "solution in
search of a problem". Many others have argued IPv6 is a problem in itself
and it is unlikely the protocol will gain wide acceptance in the short
term.

IPv6 does solve many of the problems with the current version of IPv4
(Internet Protocol version 4). Its purpose is to expand address space and
fix the IPv4 address depletion problem, which many techies claim, was due
to mismanagement. The industry's goal is to use the very large address
allocation pool in IPv6 to expand the capabilities of the Internet to
enable a variety of peer-to-peer and mobile applications including
cellular phone technology and home networking.

IPv6, a suite of protocols for the network layer, uses IPv4 gateways to
interconnect IPv6 nodes and comes prepackaged with some popular operating
systems. This includes almost all Unix flavors, some Windows versions and
Mac OS. Some vendors offer upgrades to older operating systems. Trumpet
Software International in Tasmania Australia manufactures a Trumpet
Winsock version that upgrades old Windows 95/98 and NT systems to the
current IPv6 standard.

IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor
of IPv8, a competing protocol, sees many hazards and privacy flaws in
existing IPv6 implementations. IPv6 address space in some cases uses an ID
(identifier) derived from your hardware or phone "that allows your packets
to be traced back to your PC or cell-phone" said Fleming. Potential abuse
to user privacy exists as a hardware ID wired into the IPv6 protocol can
be used to determine the manufacturer, make and model number, and value of
the hardware equipment being used. Fleming warns users to think twice
before they buy themselves a used Laptop computer and inherit all the
prior surfing history of the previous user!

IPv6 uses 128 bits to provide addressing, routing, and identification
information on a computer interface or network card. The 128 bits are
divided into the left 64 and the right 64. Some IPv6 systems use the right
64 bits to store an IEEE defined global identifier (EUI64). This
identifier is composed of a company id value assigned to a manufacturer by
the IEEE Registration Authority. The 64-bit identifier is a concatenation
of the 24-bit company identification value and a 40-bit extension
identifier assigned by the organization with that company identification
assignment. The 48-bit MAC address of your network interface card may also
be used to make up the EUI64.

In the early stages of IPv6 development, Bill Frezza a General Partner
with the venture capital firm, Adams Capital Management warned software
developers that if privacy issues are not properly addressed, the
migration to IPv6 "will blow up in their face"! Leah Gallegos agrees that
while "expanding the address space is necessary the use of the address for
ID and tracking is horrific". Gallegos the operator of the top-level
domain .BIZ and a Director of the Top Level Domain Association cautions
network administrators that they should refuse to implement IPv6 unless
these issues are properly addressed.

Privacy concerns prompted the creation of new standards, which provide
privacy extensions to IPv6 devices. Thomas Narten and Track Draves of
Microsoft Research published a procedure to ensure privacy of IPv6 users.
Narten, IBM's technical lead on IPv6 and an Area Director for the Internet
Engineering Task Force (IETF), agrees "IPv6 address can, in some cases,
include an identifier derived from a hardware address". But Narten points
out that a hardware address is not required. "In cases where using a
permanent identifier is a problem", said Narten "RFC 3041 addresses should
be used".

RFC 3041 titled "Privacy Extensions for Stateless Address
Autoconfiguration in IPv6" was published this past January 2001 by the
IETF. It is an algorithm developed jointly by Narten and Draves which
generates randomized interface identifiers and temporary addresses during
a user session. This would eliminate the concerns privacy advocates have
with IPv6.

Unfortunately RFC 3041 is not widely implemented. But Narten expects major
vendors to incorporate his privacy standard and offered that Microsoft
implemented privacy extensions "and apparently intends to make it part of
their standard stuff". Narten also assisted in the drafting of
recommendations for some second and third generation cellular phones
recently approved for publication by the Internet Engineering Steering
Group. That document recommends that RFC 3041 be implemented as part of
cellular phone technology but he did not know what direction cell phone
manufacturers were taking. "I suspect that client vendors will generally
implement it because of the potential bad PR if they don't" said Narten.

Another obstacle raised by NANOG operators is that there is currently no
commercial demand for IPv6 at this time. Dave Israel, a Data Network
Engineer and regular participant on NANOG lists, sees no immediate demand
for IPv6 services. "The only people who ask me about IPv6", said Israel
"are people who have heard something about it from some tech-magazine and
want the newest thing". Israel says he sees no commercial demand for a v6
backbone.

Daniel Golding, another NANOG participant agrees, "v6 deployment is being
encouraged by some countries, and the spread of 3G (cellular technology)
is helping things along, but we have yet to see really widespread v6
deployments anywhere". Golding sees major backbone networks deploying IPv6
when it makes economic sense for them to do so. "Right now", said Golding
"there is no demand and no revenue upside. I don't expect this to change
in the near future".

Most on NANOG agree the roadblock seems to be a lack of ISPs that offer
IPv6 services. Stephen Sprunk, a Network Design Consultant with Cisco's
Advanced Services group sees the "greater adoption of always-on broadband
access will be the necessary push" to get IPv6 off the ground. "Enterprise
networks will not be the driver for ISPs to go to IPv6" said Sprunk and
"NAT is too entrenched". Network Address Translation (NAT) is a method of
connecting multiple computers to the Internet (or any other IP network)
using one IPv4 address.

Vint Cerf senior vice president of architecture & technology at WorldCom
has been using IPv6 for about four years. IPv6 has been a key element for
some of WorldCom's Government customers. Cerf thinks IPv6 supporters have
a lot of work ahead to achieve successful deployment of the protocol. He
expects "that over the next several years we will see a lot of consumer
devices set up to work with IPv6" and "cell phones are likely candidates,
as are radio-enabled PDAs".

-EOF

The dot.GOD Registry, Limited
http://www.dot-god.com/
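
The article's description of the address layout (left 64 bits of prefix, right 64 bits of identifier built from the hardware address) can be made concrete. The following is an added example, not part of the original thread: it derives the identifier from a constructed sample MAC, shows that it stays the same under two different prefixes, and checks whether an address exposes a MAC. The function names are hypothetical, the prefixes are documentation prefixes, and `temporary_iid` is a simplified random stand-in for the RFC 3041 procedure.

```python
import ipaddress
import os

def eui64_iid(mac: str) -> bytes:
    """Right 64 bits derived from a 48-bit MAC (modified EUI-64)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # 24-bit company id + ff:fe filler + 24-bit device part, with the
    # universal/local bit (0x02 of the first octet) inverted.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def temporary_iid() -> bytes:
    """Random right 64 bits with the universal/local bit cleared.
    Simplified stand-in for RFC 3041, which derives the value with MD5."""
    r = bytearray(os.urandom(8))
    r[0] &= 0xFD
    return bytes(r)

def build_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix (left 64 bits) and an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("expected a /64 prefix and a 64-bit identifier")
    return str(net.network_address + int.from_bytes(iid, "big"))

def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if the
    identifier lacks the ff:fe marker of a MAC-derived EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in mac)

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    for prefix in ("2001:db8:0:1::/64", "2001:db8:0:2::/64"):  # documentation prefixes
        a = build_address(prefix, eui64_iid(mac))
        print(a, "-> embedded MAC", embedded_mac(a))
    t = build_address("2001:db8:0:1::/64", temporary_iid())
    print(t, "-> embedded MAC", embedded_mac(t))
```

The first three octets of the recovered MAC are the IEEE company id the article mentions, which is how a manufacturer can be read from such an address.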

Joe Baptista wrote:

Thanks to everyone who helped out.

But you didn't actually read now did you?
Oh well you are a reporter nobody can blame you for doing work ;)
But to pull some things straight:

" IPv6, a suite of protocols for the network layer,
uses IPv4 gateways to interconnect IPv6 nodes and comes
prepackaged with some popular operating systems. "

Cool, so *NATIVE* IPv6 doesn't exist?
Many transitional techniques use intermediate IPv4 hops to
connect IPv6 islands, that doesn't mean everything uses it.


"IPv6 has suffered bad press over privacy issues.
Jim Fleming, the inventor of IPv8, a competing protocol,
sees many hazards and privacy flaws in existing IPv6 implementations."

Competing? There is <yell>no such thing as Jim Flemings IPv8</yell>
There is IPv8* but that is PIP (The P Internet Protocol) which is
*NOT* the thing Mr. Fla^Heming is spamming about all the time.
* = IP Version Numbers
Maybe Mr. Fleming could write up a draft of his 'standard' sometime?
I could start shouting that you are bad and that Man.v2 is much better
now does that help anywhere?

And one can easily change his/her local EUI so where's the problem
there?
One also mostly comes from the same /48 so where is the problem.

"Another obstacle raised by NANOG operators is that there is currently
no commercial demand for IPv6 at this time."

Which is true in the .US and mostly true in europe, but in Asia there
is demand and IPv6 is happening. And that America is lagging behind ah
well ;)

Next time when you ask things, use them in your articles...

Greets,
Jeroen

This is scarcely the first time that a "reporter" has taken quotes from
NANOG and spliced them together into a news story. Analysts do it too. I
guess one of the weaknesses of this kind of forum is that the kooks (Jim
Fleming) come off looking as credible as those who have a clue (like
Stephen Sprunk or Dave Israel in this case).

Now, please pardon me while I write "do not talk to reporters" on the
blackboard, 500 times.

- Daniel Golding

The sad part is that absolutely clueless articles like this one get
wider distribution than they deserve, and it takes even more travel and
face time to refute the nonsense. In most cases it is hard to tell if
the author is really as clueless as the resulting article would lead you
to believe, or if they intentionally put in garbage to create an
artificial sense of controversy which might lead to even greater
distribution.

Tony

Joe Baptista wrote:

> Thanks to everyone who helped out.
> But you didn't actually read now did you?
> Oh well you are a reporter nobody can blame you for doing work ;)
> But to pull some things straight:
>
> " IPv6, a suite of protocols for the network layer,
> uses IPv4 gateways to interconnect IPv6 nodes and comes
> prepackaged with some popular operating systems. "
>
> Cool, so *NATIVE* IPv6 doesn't exist?
> Many transitional techniques use intermediate IPv4 hops to
> connect IPv6 islands, that doesn't mean everything uses it.

http://unfix.org/projects/ipv6/IPv6andIPv4.gif

I'm sure it does - but i'll be damned if i can find it. I have managed to
connect to the 6to4. Would love to connect direct to the 6bone - but have
yet to find a means to do it without some ipv4 connectivity.

> "IPv6 has suffered bad press over privacy issues.
> Jim Fleming, the inventor of IPv8, a competing protocol,
> sees many hazards and privacy flaws in existing IPv6 implementations."
>
> Competing? There is <yell>no such thing as Jim Flemings IPv8</yell>
> There is IPv8* but that is PIP (The P Internet Protocol) which is
> *NOT* the thing Mr. Fla^Heming is spamming about all the time.
> * = IP Version Numbers
> Maybe Mr. Fleming could write up a draft of his 'standard' sometime?
> I could start shouting that you are bad and that Man.v2 is much better
> now does that help anywhere?

I've heard a lot about fleming and have seen a lot of his posts. I have
heard he's a kook from a lot of people but i don't pay much attention to
that. So far on the technical end i've had no issue with his claims.

And let's not forget - years ago I was also called a net kook - now my
name is whispered at various conferences much like priests would speak
badly of the creator with claims i'm the most dangerous man in
communications. I assume that's a step up when laughter turns to tears
;)

Once I'm finished testing IPv6 I do plan to try IPv8 (a la fleming) and
once and for all determine if he's actually real - or just a figment of
our collective deranged imaginations.

I did ask vint if he felt IPv8 was workable. He didn't know. Fleming has
made a lot of claims respecting vint - which he was in my opinion unable to
prove when i asked for supporting evidence. But those claims are mainly
personal issues between them.

But when I published the article vint announced for the first time that
ipv8 existed but they decided instead on ipv6. It's a confusing issue at
best but one i'll be looking into.

From what I can see Ipv8 is Ipv6. I still have not figured out what the
difference is between these two beasts. Fleming claims IPv8 will work on
IPv6 technology.

> And one can easily change his/her local EUI so where's the problem
> there?
> One also mostly comes from the same /48 so where is the problem.

I know this - but many users don't and that's where the privacy issue
begins and ends. I am encouraged by I think rfc 3041 which seems to
address the problem.

> "Another obstacle raised by NANOG operators is that there is currently
> no commercial demand for IPv6 at this time."
>
> Which is true in the .US and mostly true in europe, but in Asia there
> is demand and IPv6 is happening. And that America is lagging behind ah
> well ;)

correct and that's mainly in G3 which vint addressed.

by the way - very nice site. www.unfix.org - i didn't know putty had ipv6
support - so i'm looking forward to testing it. Already have my 6to4 up
in amsterdam and hope to have another node in toronto or california next
month so the putty program will be useful. It gets boring just playing
with ping6.

By the way is there any reason why developers have not yet integrated IPv6
into the standard ping program or traceroute. It's a bit of a bother
having to ping sites using different programs depending on the protocol.
I assume putty handles both IPv4 and IPv6 - or is there a separate putty
IPv6 program?

regards
joe baptista

Allow me to remove any doubt.

http://www.kkc.net/baptista/

I strongly suggest you just quietly ignore Mr. Baptista. I can assure you
that this is my last post on the subject no matter how he tries to bait me.
It's the only technique that works with him.

Poor D'Arcy - still bitter I see ;)

But that's a substandard reference. Major Tom and Uncle Joe are still the
best of friends - sort of anyway. Only five years ago major tom helped
me liberate some $10,000 worth of hydroponic marijuana grow equipment
from the Adult SuperStore - a front for the outlaw biker community
operated by Mark Savary. The story was a plant. Never believe what you
read in old rags.

Let us not forget my major accomplishments - the destruction of the
freedom of information system in ontario (which you complained so much
about) - which see;

I warned the public

http://web.elastic.org/~fche/mirrors/old-usenet/baptista

and then i crashed it

http://www.ipc.on.ca/english/orders/orders-m/m-618.HTM

and then there was the day I liberated Wired Magazine of over $100,000
USG, which see

http://www.kkc.net/eye/nv940331.htm

And then there was the most famous event of them all.

unfortunately I can't mention names because of the court order of judge
brown. pity what happens when governments cover up the sexual
exploitation of minors by senior government officials.

http://www.brentpayton.com/canada/Toronto%20Police%20Chief%20Sues%20for%20Libel.txt

and then there was .... I can go on at length but i think it's best to say
that I've had a good time in life. So try not to be bitter D'Arcy or
you'll end up aging like those failed drag queens - and those high heels
are not your style ;)

http://www.google.ca/search?hl=en&ie=ISO-8859-1&q=D'Arcy+Cain+Baptista&meta=

I've been labeled so many times and have used it to my advantage. Which
is why I never really pay much attention when people make claims like they
do against fleming. In the old days reporting was about investigating the
truth - not paying attention to libel and slander. Nowadays I find
reporters are basically PR queens on a budget.

And that's why I got back into the business. I've complained so much
about inaccurate reporting that i finally decided to do something about
it. You should get active too.

cheers
joe

no fair, i dropped some posts to that discussion, i want my credits too!

:)

> By the way is there any reason why developers have not yet integrated IPv6
> into the standard ping program or traceroute. It's a bit of a bother
> having to ping sites using different programs depending on the protocol.
> I assume putty handles both IPv4 and IPv6 - or is there a separate putty
> IPv6 program?

Read The Source Code.

Alex